What is the Ohio Data Protection Act?

by Sarah Harvey / November 29th, 2018

During an age when information and data fuels businesses, understanding the value of cybersecurity in protecting data is crucial. Lawmakers and business owners are continuously recognizing the new, complex risks that come from doing business in cyberspace every day. That’s why on August 3, 2018, Ohio Governor John Kasich signed Senate Bill No. 220, the Ohio Data Protection Act. This legislation makes Ohio the first state to enact a law that incentivizes businesses to implement a cybersecurity program by providing a safe harbor to businesses that do so. Let’s discuss what the Ohio Data Protection Act requires of businesses and how it can protect them.

What the Ohio Data Protection Act Is and Isn’t

This legislation is a part of CyberOhio, an initiative led by Mike DeWine, Ohio’s Attorney General. CyberOhio aims to help businesses defend themselves against the ever-changing cyber threats. Legislation like the Ohio Data Protection Act is a major component of the CyberOhio initiative. It’s a way to protect businesses and consumers from the harm that data breaches cause.

The law clearly states that the Ohio Data Protection Act is not meant to be a minimum cybersecurity standard that must be achieved by businesses in Ohio. Unlike other states’ cybersecurity laws (like New York’s regulation for financial services companies), the Ohio State Data Protection Act is voluntary. It gives businesses a reason to be proactive with their cybersecurity program instead of introducing additional regulations required of them to follow.

The law does not alter any of Ohio’s current breach notification laws, but it does establish a legal safe harbor to be pled as an affirmative defense when a business is accused of failure to implement reasonable information security controls that resulted in a data breach.

Requirements of the Ohio Data Protection Act

A business seeking to comply with the Ohio Data Protection Act must do the following:

Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal and/or restricted information and that reasonably conforms to an industry-recognized cybersecurity framework
Design a cybersecurity program that protects the security and confidentiality of personal and/or restricted information
Design a cybersecurity program that protects against any anticipated threats or hazards to the security or integrity of personal and/or restricted information
Design a cybersecurity program that protects against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or fraud to the individual to whom the information relates

Because there are so many types of businesses in Ohio, the law does take scalability seriously. In 2018, the U.S. Small Business Administration reports that there are over 944,000 small businesses based in Ohio; those businesses must have the same opportunity for compliance as any other size business. The law states that the scope of a business’ cybersecurity program depends on the following factors:

Size and complexity of the business
Nature and scope of the activities of the business
Sensitivity of the information being protected
Cost and availability of tools to improve information security and reduce vulnerabilities
Resources available to the business

Basis for a Cybersecurity Program

The Ohio Data Protection Act has selected five industry-recognized cybersecurity frameworks that businesses should model their cybersecurity programs after. These frameworks include:

NIST Special Publication 800-171
NIST Special Publications 800-53 and 800-53a
FedRAMP
CIS Critical Security Controls for Effective Cyber Defense
ISO 27000 Family – Information Security Management Systems

The law also says that if a business is subject to any other regulations, like HIPAA, FISMA, or PCI, its cybersecurity program must also be compliant.

When a revision to any of the frameworks listed above is released, businesses complying with the Ohio Data Protection Act have one year to conform to the revised edition.

If you are interested in complying with the Ohio Data Protection Act or want to learn more, contact us today. We’d be happy to discuss how your current or future compliance efforts could align with this legislation.